TrueCrypt & Keyfiles

Discussion in 'privacy technology' started by JimmySausage, Jul 31, 2013.

Thread Status:
Not open for further replies.
  1. JimmySausage

    JimmySausage Registered Member

    Joined:
    Apr 11, 2010
    Posts:
    53
    Would I be correct in assuming that if you encrypt a container with a keyfile, even if the NSA was lucky enough to crack the pass-phrase in a few years time it would do them no good with out access to the keyfile?
     
  2. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245
    There are Truecrypt experts on here who can provide a more detailed answer, but with a keyfile, your truecrypt container would be next to impossible to crack.
     
    Last edited: Jul 31, 2013
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    JimmySausage,

    I don't believe your assumption is correct. The keyfile is really only a password substitute. If the Gov gets to the point where they are able to crack a long and secure password (more accurately the entire algo), than the keyfile will almost certainly not hold up either.

    If you look through the source code it could be argued that passwords (long, secure, highly entropic, etc..) are superior to a keyfile by far.

    In my experience keyfiles seem superior because most crypto users are lazy and sloppy with simple weak passwords. If AES or any algo employed in TC is broken over time the password/keyfile will not really matter.
     
  4. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    If the algo gets broken, all bets are off. IMO, a keyfile adds truly pseudo-random data to a pass phrase (that is if you don't just use a keyfile...which is krazy! :D ) I like to generate one with TC, then zip it with 7zip using AES-256...overkill, I know. Combined with a Yubikey, it's the best protection against brute force that I can think of.

    Pass phrase in your long term memory, 32 characters as random as possible.

    32 more characters, generated by KeePass (using all character types), programed onto a Yubikey. (TC will only accept 64 characters max in the pass phrase box).

    ...And a Keyfile.

    Brute force that :D

    PD
     
  5. JimmySausage

    JimmySausage Registered Member

    Joined:
    Apr 11, 2010
    Posts:
    53
    The point about the password substitute is very informative. Basically, if they get to that point all bets are off.
     
  6. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245
    Someone correct me if I'm wrong, but there is a big difference between "cracking" a passphrase, and cracking the encryption algorithm.

    Encryption algorithms such as AES, as far as we know, are secure and have not been broken. Assuming the encryption algorithm is secure and has been implemented properly by the software developer, the vulnerability then becomes the passphrase. I just don't see how an encrypted volume with a keyfile, even if the user is using a medium to weak password, can be cracked in any reasonable amount of time by any person or organization.
     
  7. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Well look at it this way: If they can get your container, then it's possible they can get your keyfile (search warrant). If you then have a weak pass phrase, game over.

    If it's called "Keyfile", bad news. If it's the only file on a USB drive, bad news.

    That's why I like to populate a USB drive with as many files as it will hold...and use *one* of them as a keyfile.

    A. It's off the machine, so any compromise of your box can't get it (generally, but if you have malware, you're pretty much toast).

    B. If they get the USB drive (search warrant), they still have to go through 200,000 files or so, *with the correct pass phrase*. Heck, with a 16 Gig USB drive, you could copy the Windows folder to it, and use one of those :D

    C. Nothing says you can't use two, three, four keyfiles, some on the machine, and some off...possibilities are endless, depending on your threat model.

    D. With a Yubikey and keyfiles, you only need to be able to destroy one of them, to render access impossible.

    PD
     
  8. JimmySausage

    JimmySausage Registered Member

    Joined:
    Apr 11, 2010
    Posts:
    53
    very interesting.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Why not use steganography on that keyfile as well, if you're going through with all that? I recommend OpenPuff.
     
  10. x942

    x942 Guest

    I do this! I use steghide myself. I am going to look into OpenPuff. :thumb:
     
Loading...
Thread Status:
Not open for further replies.